Windows Server 2016 introduces several new DNS features including DNS policies for query control, preconfigured IPv6 root hints, support for unknown resource records, and response rate limiting to enhance security against DDoS attacks. The document details the functionalities of DNS policies and demonstrates their applications, while also highlighting the integration of IPv6 and new record types like TLSA for DANE support. It briefly mentions the removal of Network Access Protection from DHCP and upcoming updates related to the Men & Mice suite.

1. Windows Server 2016
what is new in DNS (and IPv6 and DHCP)
1

2. © Men & Mice http://menandmice.com
Windows Server 2016
DNS Policies
Application Load-Distribution with DNS
IPv6 Root-Hints
DANE-Records Support
Support for Unknown DNS Records
Response-Rate-Limiting
Other new Features in Windows Server 2016
2
the features discussed here are based on the
Technical Preview 5 (April 2016)

3. © Men & Mice http://menandmice.com
DNS Policies
DNS policies give fine control about how DNS queries should
be answered by a DNS server
• similar, but more powerful, than BIND 9 views
• Use-cases
• access control for DNS resolvers (prevent open resolver)
• DNS based load-distribution
• blackholing malicious clients
• Filter based on DNS domains or Query-Type
• Geo-Location-Aware DNS answers
• Traffic-Engineering based on time-of-day
• "Split-Brain" DNS configurations (CAUTION!)
3

4. © Men & Mice http://menandmice.com
DNS Policies
Every DNS zone can have one or more
"ZoneScopes"
• each ZoneScope can contain different DNS data (e.g.
different IP-Addresses for the same name)
• the DNS Policy defines, which ZoneScope is used when a
DNS query reaches the DNS server
4

5. © Men & Mice http://menandmice.com
DNS Policy criteria
5
Client Subnet Source address of the query
Transport Protocol either UDP or TCP
Internet Protocol either IPv4 or IPv6
Server Interface IP address
on which interface the query
comes in
domain name an FQDN (wildcards possible)
Query Type
the requested DNS record type
(A/AAAA/MX/SRV etc)
Time of Day Time when the query is received

6. © Men & Mice http://menandmice.com
DNS Policies
DNS Policy criteria can be combined with boolean
expressions ("AND", "OR", "NOT")
Powerful DNS policies are possible …
… that should be used carefully
6

7. © Men & Mice http://menandmice.com
DNS Policies Demo 1
7
restricting DNS
recursion to subnets

8. © Men & Mice http://menandmice.com
DNS Policies Demo 1
Get-DnsServerRecursionScope -Name .
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerRecursionScope -Name "Clients" -EnableRecursion $True
Add-DnsServerClientSubnet -Name "MyNetwork" `
-IPv4Subnet "172.22.1.0/24"
!
Add-DnsServerQueryResolutionPolicy -Name "ResolverPolicy" `
-Action ALLOW -ApplyOnRecursion -RecursionScope "Clients" `
-ClientSubnet "EQ,MyNetwork"
8

9. © Men & Mice http://menandmice.com
DNS Policies Demo 2
9
Application load distribution using DNS

10. © Men & Mice http://menandmice.com
DNS Policies Demo 2
Add-DnsServerZoneScope -ZoneName example.com -Name "scope1"
Add-DnsServerZoneScope -ZoneName example.com -Name "scope2"
Get-DnsServerZoneScope -ZoneName example.com
!
Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.10 `
-ZoneScope "scope1"
Add-DnsServerResourceRecord -A -Name www -ZoneName example.com -IPv4Address 192.0.2.20 `
-ZoneScope "scope2"
Add-DnsServerQueryResolutionPolicy -Name "Scope1LDPolicy" -ZoneName example.com `
-ZoneScope "scope1,4;scope,2" -Action ALLOW -ServerInterfaceIP "EQ,172.22.1.150"
!
Get-DnsServerQueryResolutionPolicy -ZoneName example.com
10

11. © Men & Mice http://menandmice.com
IPv6 root hints
Windows Server 2016 now comes with IPv6 root-
hints preconfigured
• root hints are required for every DNS server to find the
start of all DNS resolution
• Windows Server up to Windows 2012R2 only contain the
IPv4 root-hints for the Internet (however it was possible to
add the IPv6 root-hints manually)
• This change makes it possible to run the Windows DNS
server in an "IPv6-Only" network
11

12. © Men & Mice http://menandmice.com
DANE TLSA Record support
Windows Server 2016 adds support for the TLSA
Resource Record type
• TLSA is required for DANE (DNS Authenticated Named
Entities)
• "pinning" of TLS/SSL certificates via DNSSEC secured DNS
• see our previous webinar "DNSSEC & DANE – E-Mail
security reloaded"
https://www.menandmice.com/resources/educational-resources/webinars/dnssec-and-dane-e-mail-security-reloaded/
12

13. © Men & Mice http://menandmice.com
Demo: TLSA record
13

14. © Men & Mice http://menandmice.com
Demo: TLSA Record
Add-DnsServerResourceRecord -Name _25._tcp `
-ZoneName example.com -TLSA -CertificateUsage DomainIssuedCertificate `
-Selector SubjectPublicKeyInfo -MatchingType Sha256Hash `
-CertificateAssociationData 831B809F32A1A9E8C52A5167A35A979F0719B89D08E9A3302264F99D
14

15. © Men & Mice http://menandmice.com
Support for "Unknown Resource
Records"
With new protocols, new DNS record types are added to
DNS
•URI
• SMIMEA and OPENPGPKEY
• TA and TALINK
• …
RFC 3597 "Handling of Unknown DNS Resource Record
(RR) Types" defines a way to provision a DNS server with
resource records unknown to the server software
15

16. © Men & Mice http://menandmice.com
Support for "Unknown Resource
Records"
the DNS server in Windows 2016 now supports
these unknown resource records
• enables DNS admins to support new protocols which were
not published at the release time of windows server
• the record data is given in hexadecimal notation
• the BIND 9 utility "named-rrchecker" can be used to convert
the data part of an DNS RR into the hexadecimal format
Example: definition of an IPv4 Address "A"-Record:
Add-DnsServerResourceRecord -Name www -ZoneName example.com -Type 1 -RecordData "0A000001"
16

17. © Men & Mice http://menandmice.com
Demo: Unknown RRs
17

18. © Men & Mice http://menandmice.com
Demo: Unknown RRs
The Uniform Resource Identifier (URI) DNS Resource
Record:
https://tools.ietf.org/html/rfc7553
!
> echo 'IN URI 10 1 "http://www.example.com/path"' | named-rrchecker -u
CLASS1 TYPE256 # 31 000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468
!
PowerShell> Add-DnsServerResourceRecord -Name _http._tcp -ZoneName example.com `
-Type 256 -RecordData "000a0001687474703a2f2f7777772e6578616d706c652e636f6d2f70617468"
18

19. © Men & Mice http://menandmice.com
Response Rate Limiting
DNS responses from DNS servers in the Internet
(Authoritative or DNS resolver) can be mis-used for
denial of service attacks
• A problem for a long time, but has been especially popular
with attackers in the last five years
• For additional coverage on this topic, watch our webinar
"The dangers of DNS reflection attacks"
https://www.menandmice.com/resources/educational-resources/webinars/the-dangers-of-dns-reflection-attacks/
19

20. © Men & Mice http://menandmice.com
What is the problem
20
DNS is UDP "stateless"
communication
source IP addresses can be
spoofed
some DNS
Server in the Internet
Source IP
Address
"spoofed"
Answer is
delivered to the
owner of the
"spoofed" IP
Address

21. © Men & Mice http://menandmice.com
What is the problem
21
There are many many DNS
servers to be found in the Internet

22. © Men & Mice http://menandmice.com
One Solution: Response Rate Limiting (RRL)
• RRL was developed by Vernon Schryver and Paul Vixie
and implemented in BIND 9, NSD, Knot and PowerDNS. It
is now also available in Windows Server 2016.
• as all DNS queries should go through a caching server
• identical queries should not be seen from the same
source inside the TTL (Time to Live)
• if the DNS server sees (many) recurring queries within
the TTL, it is likely an attack
22

23. © Men & Mice http://menandmice.com
One Solution: Response Rate Limiting (RRL)
• response rate limiting counts the number of
identical responses sent to a given network
• will throttle outgoing responses if too much
identical responses are sent
• allows legit clients in the victims network to still
resolve DNS data
23

24. © Men & Mice http://menandmice.com
One Solution: Response Rate Limiting (RRL)
• in case an attack is detected, (almost) empty
answers are sent with "TC" flag set
• "TC" flag = answer truncated, retry over TCP
• real caching DNS server will repeat the query over
TCP (slower, but harder to spoof)
24

25. © Men & Mice http://menandmice.com
One Solution: Response Rate Limiting (RRL)
•RRL enabled on an authoritative server
25

26. © Men & Mice http://menandmice.com
Demo: RRL
26

27. © Men & Mice http://menandmice.com
Miscellaneous news
DHCP: Network Access Protection (NAP) has been removed
from DHCPv4 in Windows Server 2016
Containers with Docker: lightweight separation of
Applications on a single Windows Server 2016 instance (can be
used to separate a DNS or DHCP server)
Nano-Server: minimal Windows Server 2016 image without
GUI. Can be used to create a lightweight DNS-Server
deployment
Software Defined Networking (SDN) and Layer-4 Load-
Balancer: load-balance DNS server (for example DNS resolver)
27

28. © Men & Mice http://menandmice.com
Release Dates
Windows Server 2016 will be released in Q3 2016
Men & Mice Suite 7.3 (September 2016) will
support Windows Server 2016
Many of the new features will be supported in the
Men & Mice GUI and Web-UI
28

29. © Men & Mice http://menandmice.com
Upcoming Webinar
June 9th, 2016 - Yeti-DNS
!
Yet-DNS - an international research project
on the DNS root-server system
Interview with Shane Kerr of BII
How-To participate in Yeti-DNS with a
DNS resolver
29

30. © Men & Mice http://menandmice.com
Thank you!
!
Questions? Comments?
30